From da1401b3f5ee438ff4b94d8e7fecb686309e1577 Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Tue, 9 Apr 2024 11:14:16 +0000
Subject: [Minor] Improve FREEMAIL_AFF detection
---
 conf/composites.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'conf/composites.conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index e38d64e6b..a36d0449f 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -163,7 +163,7 @@ composites {
 group = "scams";
 }
 FREEMAIL_AFF {
- expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
+ expression = "(FREEMAIL_FROM | FREEMAIL_ENVFROM | FREEMAIL_REPLYTO | FREEMAIL_MDN) & (TO_DN_RECIPIENTS | R_UNDISC_RCPT) & (INTRODUCTION | FROM_NAME_HAS_TITLE | FREEMAIL_REPLYTO_NEQ_FROM_DOM | SUBJECT_HAS_CURRENCY)";
 score = 4.0;
 policy = "leave";
 description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
--
cgit v1.2.3
From 89f1c81a275993e83991a0ea7a87e58404f1839e Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Tue, 9 Apr 2024 11:17:33 +0000
Subject: [Minor] Add composite for suspicios free/disposamail MDN usage
---
 conf/composites.conf | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'conf/composites.conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index a36d0449f..da14ce3a5 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -168,6 +168,13 @@ composites {
 policy = "leave";
 description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
 }
+ SUSPICIOS_MDN {
+ expression = "(FREEMAIL_MDN | DISPOSABLE_MDN) & !(FREEMAIL_FROM | FREEMAIL_ENVFROM)";
+ score = 2.0;
+ policy = "leave";
+ description = "Message delivery notification should go to freemail or disposable e-mail, but message was not sent from a freemail address";
+ group = "scams";
+ }
 REDIRECTOR_URL_ONLY {
 expression = "HFILTER_URL_ONLY & REDIRECTOR_URL";
 score = 1.0;
--
cgit v1.2.3
From e4fcdfd2765c57d356f2e38d4f24b95ebef15550 Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Tue, 9 Apr 2024 11:19:11 +0000
Subject: [Minor] Fix typo in rule name
---
 conf/composites.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'conf/composites.conf')
diff --git a/conf/composites.conf b/conf/composites.conf
index da14ce3a5..d3c4f073b 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -168,7 +168,7 @@ composites {
 policy = "leave";
 description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses";
 }
- SUSPICIOS_MDN {
+ SUSPICIOUS_MDN {
 expression = "(FREEMAIL_MDN | DISPOSABLE_MDN) & !(FREEMAIL_FROM | FREEMAIL_ENVFROM)";
 score = 2.0;
 policy = "leave";
--
cgit v1.2.3
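Review bot: In the MDN composite added by the second commit (renamed SUSPICIOUS_MDN by the third), the expression triggers on `DISPOSABLE_MDN` but its exclusion lists only the freemail sender symbols, so a message sent from a disposable address that requests the notification at that same address still fires, which does not match the description. If the ruleset defines sender-side disposable symbols, the exclusion should mirror the trigger, e.g. `& !(FREEMAIL_FROM | FREEMAIL_ENVFROM | DISPOSABLE_FROM | DISPOSABLE_ENVFROM)`. Because the first commit also feeds `FREEMAIL_MDN` into FREEMAIL_AFF and both composites use `policy = "leave"`, one sender-controlled header can contribute to both the 4.0 and the 2.0 score on the same message; a short comment above the block saying whether that stacking is intended would help anyone tuning thresholds for false positives. The description should also expand MDN as "message disposition notification" rather than "delivery notification", since delivery status notifications are a different mechanism.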